User authentication in communication systems

ABSTRACT

Methods and systems are provided for user authentication in communication systems. An identification token may be generated in response to a request from a user terminal to load a web page. The identification token may comprise a network address associated with the user terminal, and a time stamp indicating when the network address was used by the user terminal. User authentication information relating to the identification token may then be obtained to authenticate a user of the user terminal. The user terminal may be instructed to request the identification token in response to requesting the web page.

CLAIM OF PRIORITY

This patent application claims the filing date benefit of and the rightof priority to European (EP) Patent Application Serial No. 16202699.1,filed on Dec. 6, 2016. The above application is hereby incorporatedherein by reference in its entirety.

TECHNICAL FIELD

The present disclosure relates to communication solutions. Inparticular, various implementations in accordance with the presentdisclosure relate to user authentication in communication systems.

BACKGROUND

Conventional methods and systems for authenticating users can be costly,cumbersome and inefficient. Further limitations and disadvantages ofconventional and traditional approaches will become apparent to one ofskill in the art, through comparison of such systems with some aspectsof the present disclosure as set forth in the remainder of the presentapplication with reference to the drawings.

BRIEF SUMMARY OF THE DISCLOSURE

Systems and/or methods are provided for user authentication incommunication systems, substantially as shown in and/or described inconnection with at least one of the figures, as set forth morecompletely in the claims.

These and other advantages, aspects and novel features of the presentdisclosure, as well as details of an illustrated implementation thereof,will be more fully understood from the following description anddrawings.

BRIEF DESCRIPTION OF THE DRAWINGS

Various features and advantages of the disclosure will become apparentfrom the following description of non-limiting exemplaryimplementations, with reference to the appended drawings, in which:

FIG. 1 is a block diagram illustrating elements of an examplecommunication network that may be configured for supporting userauthentication in accordance with the present disclosure.

FIG. 2 is a flow chart illustrating an example process forauthenticating a communication party in a communication networkaccording to a first example implementation in accordance with thepresent disclosure.

FIG. 3 is a flow chart illustrating an example processing forauthenticating a communication party in a communication networkaccording to a second example implementation in accordance with thepresent disclosure.

DETAILED DESCRIPTION OF THE DISCLOSURE

As utilized herein the terms “circuits” and “circuitry” refer tophysical electronic components (e.g., hardware), and any software and/orfirmware (“code”) that may configure the hardware, be executed by thehardware, and or otherwise be associated with the hardware. As usedherein, for example, a particular processor and memory (e.g., a volatileor non-volatile memory device, a general computer-readable medium, etc.)may comprise a first “circuit” when executing a first one or more linesof code and may comprise a second “circuit” when executing a second oneor more lines of code. Additionally, a circuit may comprise analogand/or digital circuitry. Such circuitry may, for example, operate onanalog and/or digital signals. It should be understood that a circuitmay be in a single device or chip, on a single motherboard, in a singlechassis, in a plurality of enclosures at a single geographical location,in a plurality of enclosures distributed over a plurality ofgeographical locations, etc. Similarly, the term “module” may, forexample, refer to a physical electronic components (e.g., hardware) andany software and/or firmware (“code”) that may configure the hardware,be executed by the hardware, and or otherwise be associated with thehardware.

As utilized herein, circuitry or module is “operable” to perform afunction whenever the circuitry or module comprises the necessaryhardware and code (if any is necessary) to perform the function,regardless of whether performance of the function is disabled or notenabled (e.g., by a user-configurable setting, factory trim, etc.).

As utilized herein, “and/or” means any one or more of the items in thelist joined by “and/or”. As an example, “x and/or y” means any elementof the three-element set {(x), (y), (x, y)}. In other words, “x and/ory” means “one or both of x and y.” As another example, “x, y, and/or z”means any element of the seven-element set {(x), (y), (z), (x, y), (x,z), (y, z), (x, y, z)}. In other words, “x, y and/or z” means “one ormore of x, y, and z.” As utilized herein, the term “exemplary” meansserving as a non-limiting example, instance, or illustration. Asutilized herein, the terms “for example” and “e.g.” set off lists of oneor more non-limiting examples, instances, or illustrations.

Certain example implementations in accordance with the presentdisclosure may be found in systems and methods for user authenticationin communication systems and/or networks (e.g., the Internet), asdescribed below in more detail below. In this regard, hypertext transferprotocol (HTTP) header enrichment may allow network operators toannotate HTTP connections via the use of a wide range of headers.Network operators may employ proxies to introduce such headers foroperational purposes, and also to assist advertising programs inidentifying the network user responsible for the originating traffic,with significant consequences for the user's privacy. Use of HTTP headerenrichment may enable network operators to append information into HTTPtraffic (e.g., an identifier, such as the mobile station internationalsubscriber directory number (MSISDN)) to enable attribution of networkresources to specific users, performance enhancement, analytics, andcontent access control and customization. Furthermore, network operatorsmay monetize their network and user base through advertising programs bytaking advantage of their position to inject unique tracking identifiersinto every HTTP request, popularly known as “super-cookies.”

However, HTTP header enrichment may have some disadvantages. Forexample, HTTP header enrichment may have serious consequences formillions of mobile subscribers all over the world. Standardizationefforts and best practices suggest that service providers remove headerenrichment at their network boundary to prevent privacy leaks. Inreality, however, the injected HTTP headers often are not removed. Thus,any web server visited from a mobile device may use this information forpurposes adverse to user interests, such as user discrimination andonline tracking. Network users lack legal protections against thesepractices, which happen in a manner invisible to most of them.Furthermore, typical network users lack the mechanisms and knowledge toprevent operators from performing header injection and to stop onlineservices from collecting their information. In general, too much trafficis header enriched, even if web servers do not request the headerenrichment. More importantly, header enrichment does not work with HTTPsecure (HTTPS), since adding or removing any header data would break theend-to-end encryption between the user and a web server.

Accordingly, the present disclosure may allow overcoming at least someof the disadvantages of existing salutation, such as the problemsidentified above and to avoid header enrichment in communicationsystems. In particular, in various example implementations in accordancewith the present disclosure enhanced measures may be used toauthenticate a user in more secure way. In this regard, in accordancewith the present disclosure, users may be authenticated without the needto modify communication traffic—e.g., HTTPS traffic between userterminals and web servers.

One advantage of example implementations in accordance with the presentdisclosure is that the user authentication may be done without requiringuse of a second (secure) channel, such as a short message service (SMS)channel. Thus, the user terminal does not need to be a phone. Rather, itmay be any electronic device that may allow launching and using of a webbrowser to access particular web server(s).

Another advantage is that example implementations according to thepresent disclosure provide are very efficient. For example, in someimplementations identification tokens may be used, Such identificationtokens are generated and sent to the web server (by the token generator)only under particular conditions—e.g., in response to a specific requestfrom the web server.

Another advantage is adaptability and compatibility with existingsolutions. For example, example implementations according to the presentdisclosure may be practiced with requiring that web pages contain anyunsecure HTTP components (all the web page components can be HTTPScomponents). In other words, when loading the web page, all thecommunications between the web server and the user terminal can be basedon HTTPS. Furthermore, by implementing the method, header enrichment canbe avoided.

In a particular example implementation, a network processing unit may beutilized to support user authentication in accordance with the presentdisclosure.

While some of the example implementations in accordance with the presentdisclosure are described in the context of a communication or computernetwork that uses Internet protocol (IP) to link devices of thecommunication network, the disclosure should not be understood to belimited to such environment. Rather, the solutions described withrespect to the present disclosure may apply to various types ofcommunication systems and/or networks, particularly used to identifyand/or to authenticate a communication party in a communication network.This is beneficial for example when carrying out web transactionsincluding online shopping. Identical or corresponding functional andstructural elements which appear in the different drawings are assignedthe same reference numerals.

FIG. 1 is a block diagram illustrating elements of an examplecommunication network that may be configured for supporting userauthentication in accordance with the present disclosure. Shown in FIG.1 is an example communication network 1 that may be configured forsupporting user authentication.

The communication network 1 may comprise a wireless and/or wired basednetwork. The communication network 1 may comprise various elements. Inthis regard, each of the elements of the communication network 1 maycomprise suitable circuitry for implementing various aspects of thepresent disclosure. Such circuitry may comprise, for example, general ordedicated processing circuitry, storage circuitry, communication-relatedcircuitry, etc. In some instances, a network element may be implementedas a single physical apparatus, which may reside centrally in thenetwork. In other instances, however, the various steps and/or relatedoperations may be performed by various different components and/orsubsystems of the network. In this regard, the different componentsand/or subsystems may interact with each other, and data or controlservices may be performed or handled either in a centralized way, or mayhave their functionalities distributed among the different subsystems,for example leveraging the cooperation between the different subsystems.

As shown in FIG. 1, the communication network 1 may comprise acommunication device (e.g., user terminal) 3, a third party web server5, a proxy server (e.g., mobile proxy server) 7, a token generationserver (referred hereinafter as “token generator”) 9, a networkprocessing unit 11 (e.g., an application programming interface (API)device), and a database (DB) 13. In this regard, each of the elementsshown in the example implementation illustrated in FIG. 1 may be aphysically separate network element.

The communication device 3 may comprise a user or subscriber terminal orsimply a terminal (and is referred to as such hereinafter), such as amobile phone or a smartphone or a tablet, for example. As shown in FIG.1, the user terminal 3 may be the only wireless element in the network1. The user terminal 3 may allow launching and using a web browser, suchas for browsing web pages on the internet forming a global system ofinterconnected computer networks that use the IP to link devicesworldwide by a broad array of electronic, wireless and/or opticalnetworking technologies. In this regard, a web browser is a softwareapplication for retrieving, presenting, and traversing informationresources on the World Wide Web (WWW). In the example use scenariodescribed in FIG. 1, the user terminal 3 may load web pages or web sitesfrom the web server 5.

As shown in this example use scenario illustrated in in FIG. 1, all thetraffic between the user terminal 3 and the third party server 5transits via the proxy server 7, which may comprise a mobile proxyserver (and is referred to hereinafter as a “mobile proxy”). The mobileproxy 7 may be configured to carry out for instance network addresstranslation (NAT), which is a method of remapping one IP address spaceinto another by modifying network address information in IP datagrampacket headers while they are in transit across a traffic routingdevice, in this example the mobile proxy 7. In a network operating in atraditional manner, the mobile proxy would also typically implement theheader enrichment. However, according to the present invention, headerenrichment is not needed.

The token generator 9 may be configured for generating data elements,referred to as identification tokens (or simply tokens), which may beutilized in user authentication, as explained in more detail below. Inan example implementation, the token generator 9 may be configured tocommunicate bidirectionally with the user terminal 3 or with other userterminals (not shown in FIG. 1). Further, in some implementations and/oruse scenarios, the token generator 9 may not be configured tocommunicate with other types of communication network elements such asthe web server 5. The token generator 9 may receive data from the userterminal 3, and may directly send the tokens to the web server 5 via themobile proxy 7.

The network processing unit (or API) 11 may be configured tobidirectionally communicate with the web server 5, while the database(DB) 13 may be configured to bidirectionally communicate with the API11. The database 13 may comprise a table listing network addressinginformation—e.g., IP addresses of a given IP range (for example the IPaddress range of the network operator to which the database belongs)linked to a particular user terminal. In other words, each IP address inthe database 13 may be linked to an identifier (e.g., an identificationnumber) of a user terminal or its subscriber identity module. Theidentifier may be the MSISDN, for example. Each IP address-identifierpair may also have additional information—e.g., an associated time stampindicating a time instant when a particular IP address was used by auser terminal of a particular subscriber identity module, or a timeperiod in which a particular IP address was used by a user terminal of aparticular subscriber identity module. The token generator 9 may notrequire any persistent data storage. In other words, once a token isissued and sent, the token can be deleted and there is no need to storeit any longer.

In an example implementation, one mobile proxy 7, one token generator 9,one API 11 and one database 13 may be required for each networkoperator. Furthermore, it is possible that the API 11 and the database13 may be combined into a single physical element rather than beimplemented as two separate physical elements, as shown in the FIG. 1(and referenced as such in the remaining figures).

FIG. 2 is a flow chart illustrating an example process forauthenticating a communication party in a communication networkaccording to a first example implementation in accordance with thepresent disclosure. Shown in FIG. 2 is flow chart 20 illustrating anexample process for user authentication in accordance with the presentdisclosure. In this regard, as a non-limiting example, the processrepresented by flow chart 20 is described with reference to thecommunication network 1 of FIG. 1.

In step 21, a user of the user terminal 3 may initiate a web-basedapplication in the user terminal 3—e.g., opening a web page located atthe web server 5. For example, the user requests the web page contentfrom the web server 5.

In step 23, the web server 5 detects that the request is coming throughthe NAT (and has a certain IP address range). In this regard, it is tobe noted that at least some of the network elements (e.g., the networkelements within the boundary defined by the dashed line in FIG. 1) havethe same IP address range—that is, they belong to the same network orsub-network. Such zone may be considered to be a demilitarized zone (incomputing terms), which is a physical and/or logical sub-network.

In step 25, the web server 5 enables the user terminal 3 to access thetoken generation 9. For example, the web server 5 may enable a script(e.g., a Java script), to enable the user terminal 3 to access the tokengenerator 9. Alternatively, the web server 5 may issue a redirectcommand (e.g., uniform resource locator (URL) redirect command) toredirect the user terminal 3 to the token generator 9, to request theidentification token from the token generator 9.

In step 27, the user terminal 3 sends the request to the token generator9, such as by executing the script enabled by the web server 5. Forexample, the execution of the script triggers the user terminal 3 tosend the request to the token generator 9. If the sole purpose of thetoken generator 9 is to issue and deal with tokens, then the requestsent in step 27 may not need to take any parameters (e.g., the requestcould simply be “get( )” invocation—that is, it may be an empty HTTP orHTTPS request), because the token generator 9 would interpret anymessage it receives as a request to issue a token.

In step 29, the token generator 9 identifies the private IP address ofthe user terminal 3. The IP address may be detected from, e.g., therequest received from the user terminal 3.

In step 31, the token generator 9 generates a token and sends it to theuser terminal 3. For example, the token may be generated based on the IPaddress of the user terminal 3 and a time stamp indicating the time whenthe user terminal 3 used the IP address. In other words, the tokencomprises the IP address of the user terminal 3 and the time stamp forthe IP address. Thus, the token may be considered to be a function ofthe time and IP address valid at that moment. It is to be noted that ininstances where the user terminal 3 may be a mobile terminal, its IPaddress may change frequently.

In step 33, the user terminal 3 receives the token and forwards it tothe web server 5 via the mobile proxy 7, The communications between theuser terminal 3 and the token generator 9 may be encrypted. In thisregard, separate transportation encryption and token encryption may beused. Thus, the elements in the network 1 may use secure protocols toexchange the token. Encryption may also be used for the communicationsbetween the user terminal 3 and the web server 5. In an exampleimplementation and corresponding user scenario, the token is encryptedby the token generator 9 with a public key of the API 11. Thus, in thisexample, the only entity capable of decrypting the token may be the API11. The token generator 9 (or other elements encrypting data) may use astrong encryption with salt for example to avoid attacks against theencryption. If such a strong encryption is not used, an attacker may beable to retrieve many tokens in a very short time, and could possiblyguess that only one byte/bit changes. This could be an attack vector.This may be overcome by use of additional measures, such as salting—thatis, by using salt to change many bits. In this regard, salting comprisesadding a random number to the token content so that a brute forceattacker cannot guess the password used to encrypt the data. A salt israndom data that is used as an additional input to a one-way functionthat hashes a passphrase or password. Other techniques may be used,however. For example, instead of salt, another random number orpseudorandom number generator may be used to make the encryptionstronger.

In step 35, the web server 5 generates a request using the token as aquery parameter and sends the request to the API 11. This step may alsoinclude first decrypting the message received from the user terminal 3and then encrypting the request to be sent to the API 11.

In step 37, the API receives the request and verifies its freshness(using the time stamp) and that it is from a recognized partner (e.g.,that the web server belongs to the same network operator as the API 11).This step may also comprise decrypting the request if the request isencrypted to extract the IP address and time stamp.

In step 39, the API 11 sends an identification request (to receivesubscriber information) to the database 13. For example, theidentification request may use the IP address and time stamp to querythe database 13. In such example use scenario, the API 11 utilizes theMSISDN of the user terminal 3. Thus, the identification request in thisexample indicates that the API 11 queries the MSISDN of the userterminal 3 to which the token relates or is associated. It is alsopossible, that the MSISDN (or another parameter instead) is returned bydefault every time the database 13 receives a request from the API 11.Since the connection between the API 11 and the database 13 is secured,there may not be any need to encrypt the communications between thesetwo elements.

In step 41, the database 13 fetches the requested information associatedwith the token and sends it to the API 11. As explained above, thedatabase 13 “knows” when a particular user terminal 3 used a particularIP address (e.g., based on the associated timestamp). The database 13may store supplementary user information or data relating to aparticular user terminal or to its subscriber identity module. Thesupplementary user information may comprise, e.g., the name, postaland/or home address, email address, secondary phone number, birthday,user terminal hardware identifier, preferred payment process, paymentcard details, etc.

In step 43, the API 11 forwards the requested information to the webserver 5 and preferably encrypts (e.g., with the public key of the webserver 5) the information before sending it. As a result, the web server5 would at this point have identified or authenticated the user terminal3.

In step 45, the web server 5 forwards at least part of the informationto the user terminal 3. Alternatively or additionally, the informationcould also be used by the web server 5, such as for tracking,statistics, etc. If the web server 5 only received the MSISDN forexample, then it may request at least some of the supplementaryinformation relating or associated to the MSISDN before forwarding theinformation to the user terminal 3.

The above-described process may be used as an authentication process fortransactions or web services. In the above process, the token may betransported in an HTTP or HTTPS payload between various networkelements. It is to be noted that HTTP or HTTPS messages comprise apayload portion for the data content which needs to be transferred andan overhead portion or header, different from the payload portion. Theprocess allows the web server 5 to reliably authenticate the user of theuser terminal 3. A major advantage of the process is that the userterminal 3 from which a HTTP(S) stream originates can be unambiguouslyidentified without user interaction. The process may be triggered forexample if the user clicks on a specific link on a web page. The linkmay be a confirmation to buy an item online, for instance. In this case,in step 45, the web server 5 would send some data relating to thesubscriber to the user terminal 3 so that the browser of the userterminal could automatically fill in a form relating to the transaction.The form could have fields for the same information as the web server 5received from the database 13 (via the API 11). Furthermore, the webserver 5 and the user terminal 3 can be confident that the informationprovided is correct and accurate since the information was obtained froma reliable source (the database 13).

FIG. 3 is a flow chart illustrating an example processing forauthenticating a communication party in a communication networkaccording to a second example implementation in accordance with thepresent disclosure. Shown in FIG. 3 is flow chart 30 illustrating anexample process for user authentication in accordance with the presentdisclosure. In this regard, the process represented by flow chart 30 isdescribed with reference to the communication network 1 of FIG. 1.

The process illustrated in FIG. 3 to this example implementation issubstantially similar to the process of the first example, as describedwith respect to FIG. 2. However, according to the second example processillustrated in FIG. 3, the token generator 9 does not send the token tothe user terminal 3. Rather, in this process variant, in step 33, thetoken generator 9 sends the token directly to the web server 5.Furthermore, according to this process variant, a session identifier(ID) of the browsing session is used in the process to make sure thatvarious messages are linked to the correct browsing session. In thisexample, the session ID is included in the messages sent in steps 27, 33and 45. It is to be noted that according to the first example, thesession ID may not be needed. In some instances, the token generator 9communicates directly with the API 11 and the database 13 and then sendsthe payload (e.g., the MSISDN) to the user terminal 3 or to the webserver 5.

Further, in this process variant, the token is not received by the API11 via the web server 5. Also in this process variant, the session IDmay be used in a manner similar to what was explained above. Thisprocess variant assumes that the token generator 9 knows how to directlyreach the API 11.

In an example implementation, the operation of the web server 5 can besummarized in the following manner. The web server 5 receives a firstrequest from the user terminal 3 to load a web page. The web serverinstructs the user terminal 3 to request an identification token fromthe token generator 9. The web server 5 receives the identificationtoken issued by the token generator 9, the identification tokencomprising a network address associated with a time stamp indicatingwhen the network address was used by the user terminal 3. The web server5 sends a second request comprising the identification token to theprocessing unit 11. The web server 5 receives user authenticationinformation relating to the identification token from the networkprocessing unit 11 to authenticate the communication network user.

While the invention has been illustrated and described in detail in thedrawings and foregoing description, such illustration and descriptionare to be considered illustrative or exemplary and not restrictive, theinvention being not limited to the disclosed embodiment. Otherembodiments and process variants are understood, and can be achieved bythose skilled in the art when carrying out the claimed invention, basedon a study of the drawings, the disclosure and the appended claims. Forexample, it would be also possible to determine a unique user terminalID, such as a media access control (MAC) address of the user terminal 3,to authenticate the user terminal 3.

Other embodiments of the disclosure may provide a non-transitorycomputer readable medium and/or storage medium, and/or a non-transitorymachine readable medium and/or storage medium, having stored thereon, amachine code and/or a computer program having at least one code sectionexecutable by a machine and/or a computer, thereby causing the machineand/or computer to perform the steps as described herein. In an exampleimplementation, a computer program product may be arranged to executethe process described above. The computer program product may be run bythe web server 5 and/or by the network processing unit 11, for example.

Accordingly, the present disclosure may be realized in hardware,software, or a combination of hardware and software. The presentdisclosure may be realized in a centralized fashion in at least onecomputer system, or in a distributed fashion where different units arespread across several interconnected computer systems. Any kind ofcomputer system or other apparatus adapted for carrying out the methodsdescribed herein is suited. A typical combination of hardware andsoftware may be a general-purpose computer system with a computerprogram that, when being loaded and executed, controls the computersystem such that it carries out the methods described herein.

The present disclosure may also be embedded in a computer programproduct, which comprises all the features enabling the implementation ofthe methods described herein, and which when loaded in a computer systemis able to carry out these methods. Computer program in the presentcontext means any expression, in any language, code or notation, of aset of instructions intended to cause a system having an informationprocessing capability to perform a particular function either directlyor after either or both of the following: a) conversion to anotherlanguage, code or notation; b) reproduction in a different materialform.

While the present disclosure makes reference to certain embodiments, itwill be understood by those skilled in the art that various changes maybe made and equivalents may be substituted without departing from thescope of the present invention. In addition, many modifications may bemade to adapt a particular situation or material to the teachings of thepresent invention without departing from its scope. Therefore, it isintended that the present disclosure not be limited to the particularembodiment disclosed, but that the present disclosure will include allembodiments falling within the scope of the appended claims.

What is claimed is:
 1. A method for authenticating users in acommunication network, the method comprising: generating anidentification token in response to a user terminal loading a web pagefrom a web server, wherein: the identification token comprises a networkaddress associated with a time stamp indicating when the network addressis used by the user terminal; and generating the identification token istriggered by the web server, wherein the triggering is in response to arequest from the user terminal to load the web page; obtaining userauthentication information associated with the network address and thetime stamp, wherein the user authentication information comprises aunique communication network user identifier; and sending the userauthentication information to the user terminal or to the web server forauthenticating the user of the communication network.
 2. The methodaccording to claim 1, wherein the triggering comprises, beforegenerating the identification token, instructing the user terminal torequest the identification token in response to receiving by the webserver of the request from the user terminal to load the web page. 3.The method according to claim 1, comprising, in response to receivingthe request, enabling by the web server a script to be executed by theuser terminal to request the identification token.
 4. The methodaccording to claim 3, wherein the execution of the script triggers theuser terminal to request the identification token from a tokengenerator.
 5. The method according to claim 1, comprising, in responseto the request, issuing by the web server a redirect command to redirectthe user terminal to a token generator to request the identificationtoken.
 6. The method according to claim 1, wherein the userauthentication information comprises at least one of the following: nameof the user, physical address of the user, email address of the user,secondary phone number of the user, user terminal identifier, birthdayof the user, preferred payment method of the user and payment carddetails of the user.
 7. The method according to claim 1, comprisingobtaining the user authentication information from a database associatedwith the communication network.
 8. The method according to claim 7,wherein the database comprises a table of network addresses, with eachnetwork address linked to a particular network user and to a time stamp.9. The method according to claim 1, wherein the identification token isassociated with a session identifier of a web browsing session of theuser terminal.
 10. The method according to claim 1, comprisingencrypting the identification token for communication between at leasttwo different network elements in the communication network.
 11. Asystem for authenticating users in a communication network, the systemcomprising: a token generator comprising one or more circuits, the tokengenerator being operable to generate an identification token in responseto a user terminal loading a web page, wherein: the identification tokencomprises a network address associated with a time stamp indicating whenthe network address is used by the user terminal; and generating theidentification token is triggered by a network element that provides theweb page, wherein the triggering is in response to a request from theuser terminal to load the web page; a network processing unit comprisingone or more circuits, the network processing unit being operable to:receive the generated identification token; obtain user authenticationinformation associated with the network address and the time stamp,wherein the user authentication information comprises a uniquecommunication network user identifier; and send the user authenticationinformation to the user terminal or to the network element providing theweb page for authenticating the user of the communication network. 12.The system according to claim 11, wherein the network element thatprovides the web page comprises a web server comprising one or morecircuits, the web server being operable to, before the networkprocessing unit receives the identification token: receive a requestfrom the user terminal to load a web page; and in response, triggerrequesting the identification token by instructing the user terminal torequest the identification token from the token generator.
 13. Thesystem according to claim 12, wherein the web server, in response toreceiving the request, is operable to enable a script to be executed bythe user terminal to request the identification token.
 14. The systemaccording to claim 13, wherein the user terminal is operable to executethe script, the execution of the script triggering the user terminal torequest the identification token from the token generator.
 15. Thesystem according to claim 12, wherein the web server, in response toreceiving the request, is operable to issue a redirect command toredirect the user terminal to a token generator to request theidentification token.
 16. The system according to claim 12, wherein,before the network processing unit receives the identification token,the web server is operable to: receive the identification token from thetoken generator; and send a request comprising the identification tokento the network processing unit.
 17. The system according to claim 16,comprising a network address translator unit, wherein the web server isoperable to receive the identification token directly from the tokengenerator via the network address translator unit.
 18. The systemaccording to claim 11, wherein the network processing unit is operableto access a database of the communication network to obtain the userauthentication information.
 19. The system according to claim 11,wherein the token generator is operable to encrypt the identificationtoken before sending it to the network processing unit.